Password Security and Game Theory

Over the last few days or so, I have done much fretting about this article in The Atlantic by James Fallows. The story of how Fallows’ wife had her Gmail account hacked by someone who used it to try and extort money out of her friends and contacts and, to add insult to injury, deleted years of email data, is disturbing. To be sure, it is not disturbing because it is some crime on the high horror end of evil in humanity. Far from it. Instead, it is personally disturbing because ‘it could happen to you’ and when it comes down to it, apart from sporadic episodes (as I have just experienced), we pay little attention to Internet security. To be sure, in this instance, the cost was primarily inconvenience and some embarrassment. But it is precisely the sort of thing we try to set up our lives to avoid.

Now the article documented how Google was not much help in this situation. After all, it commits itself to getting rid of lots of data for privacy reasons. But in the end, they did restore much of the lost email. The point is that Google has a problem in this situation: if your identity has been stolen, that makes it hard for Google to work out who you are. In the end, what Google offers is a 2-step verification process that I gather few people have undertaken. That process links your account to a mobile phone, so that if someone tries to hack into your account from another part of the world, without access to your phone they will get no further even if they are handed your password on a platter.

So I went through the process of trying Google’s 2-step procedure out. Registering was easy enough. Google also offers the ability to add another mobile number just in case you lose the first one. They also give you some codes that can allow you to reset everything too, but you’ll have to keep them in a safe place. What this does is require you to enter a code every time you use Gmail from another device. That’s fine and well but, as I found out a few times, sometimes the text message doesn’t come through. Then you have to find the other numbers and things get complicated. Also, you have to do this every 30 days. Moreover, when it comes to other applications that access email (like Outlook or Mac Mail or mail on your smartphone), you have to generate specific ‘hard’ passwords for each of these. Sometimes that worked, but my Mac Mail didn’t like that at all and I had to restore the whole lot. Now, of course, I have gone through the set-up, but upon reflection I’m not sure that is the way to go. And I have begun to wonder how much of a pain that might all be should I pass on trying to find my iPhone, which I had thought might be buried with me.

For providers like Google who try to ensure security, the role requires balancing two sides of a market. On the one side you have users (and I mean users in the sense of Dave Barry’s dictum that ‘users are what computer professionals call you when they mean idiot’). Users want convenience and, as we know, hate security. Complex passwords are a pain. Changing them requires memory (indeed, forcing regular changes pushes people toward simpler passwords and toward leaving passwords lying around). And contemplating the actual odds of being hacked seems to diminish fear rather than raise it.

On the other side, you have criminals. Now, criminals fall into two camps. First, there are generic scammers who use automated tools to find random vulnerable accounts and try to exploit the situation. Those are the ones who can easily get around weak passwords, and it is those that Google’s additional security likely thwarts. Second, there are sophisticated criminals who have identified you specifically and are targeting you. One class of these may just want some information from you. The bad news is that the information is likely to be used against you in some unexpected and probably financial way. The good news is that they likely don’t want you to know they have it, so they won’t change passwords, scam your friends or delete all your data; that would signal something is amiss. Another class may have a more sinister agenda. The problem is that in both these cases, if you are being targeted, then Google’s security won’t help much. They need your password plus the code sent to your phone, and a determined attacker does not even need to hold the phone to get that code: a phishing page that relays the code to the real login in real time will do. The point here is that there is pretty much no amount of security that will stop the sophisticated criminal, and so you just have to be alert. All of the other security is to stop generic scammers.

So Google can enhance security and reduce scamming, and the 2-step procedure does this. But I wonder if this is overkill. For example, a required strong password will dramatically reduce the odds of being hacked by password guessing (though not by a password stolen through phishing or malware). In addition, if you have protected yourself using a 2-step procedure, the scammers don’t find that out until they have your password and are asked for a verification code. The game theorist in me considers that a problem. Why? Because once they have your password, they have a big incentive to work out how to get their hands on your phone. What you want is for them to be deterred before that.

That said, there is a social issue here. Deterrence before the break-in is what you want as an individual, but it isn’t necessarily good for society. Ian Ayres and Steve Levitt famously studied LoJack, a Google 2-step equivalent for car theft. LoJack is installed secretly in cars so that if they are stolen they can be easily tracked. That makes it better than ‘The Club’ put on steering wheels, which just causes thieves to move on from your car to the next one. LoJack creates doubt in the criminal mind and therefore actually deters crime in general. Of course, those paying for LoJack are forking out to subsidise those who don’t, just as I have just ‘paid’ on the Google front.

Apple, with iCloud, has gone for the stronger-password route. It took me a good five minutes to find one there. So, in effect, Apple has played ‘The Club.’ If you are a criminal, you are better off trying to hack a random Gmail customer than an iCloud one. That is, the criminals move on.

Is there a solution to this in the future that balances the incentives of users and criminals? I hope there is, and there is certainly a big opportunity to provide one. But this problem has hardly been unknown, and still we haven’t resolved it.

Faced with all of this, right now the best course of action (for yourself; I’ll leave it to another time to solve society’s issues) appears to be the following. First, select a high-entropy password that is easy to remember. If you are wondering how to do that, look at this xkcd comic and try this website. You can also use 1Password or LastPass to generate hard-to-crack passwords and remember them for you, but that requires having a device near you if something goes awry. In any case, at the very least, set hard passwords for your most important logins and never reuse them on the stuff you care less about. Second, back up your data. For Gmail, that means downloading it to a client or using a service like Backupify. That, I suspect, will dramatically reduce your chances of ending up where Fallows’ wife did. Nothing here stops you from also using Google’s second step but, as I said, I wonder if it is worth it. That said, anyone out there reading this can be sure that, having sunk the costs, I’ve locked it all down.
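The arithmetic behind the xkcd advice is worth seeing in code. The following is an added example, not something from the original post: it measures a password scheme by its entropy (how many equally likely secrets the scheme can produce, in bits), compares a few character-based and word-based schemes, and generates a passphrase with the operating system’s cryptographic random source. The comic’s figures, about 28 bits for a mangled dictionary word and about 44 bits for four common words, come out of the same calculation. The short wordlist embedded here is constructed for the demonstration; a real generator would draw from a large published list such as the EFF long list of 7776 words, which is the assumption behind the 7776 rows.

```python
import math
import secrets

# Constructed sample wordlist, for demonstration only. Assumption: a real
# passphrase generator uses a large published list (e.g. 7776 words) so that
# each word contributes log2(7776) ~ 12.9 bits; this toy list gives 5.3.
SAMPLE_WORDS = (
    "anchor basket candle dolphin ember falcon garden harbor island jacket "
    "kettle lantern meadow napkin orchard pepper quartz ribbon saddle timber "
    "umbrella violin walnut yellow zipper bridge castle dragon engine forest "
    "glacier hammer iron jungle kayak ladder marble needle oyster planet"
).split()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` symbols, each drawn uniformly and
    independently from `alphabet_size` possibilities. A symbol is one character
    for a conventional password and one whole word for a passphrase."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (never random.choice for secrets).
    Uniform choice is what makes the entropy figure above honest."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret by exhaustive search:
    on average the attacker has to try half of the 2**bits keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Entropy and expected brute-force time for common schemes. The guess
    rate is an assumption standing in for an offline attack on a leaked fast
    hash; online guessing against a live login is many orders slower."""
    schemes = {
        "8 chars, lowercase only":       entropy_bits(26, 8),
        "8 chars, all printable ASCII":  entropy_bits(95, 8),
        "4 words from a 2048-word list": entropy_bits(2048, 4),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    return {name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{secs / 86400:.1e} days at 1e9 guesses/s")
    print("sample passphrase:", generate_passphrase(5))
```

The useful comparison is between the second and fourth rows: eight genuinely random printable characters and four random words from a large list land at almost the same entropy, but only one of them can be remembered without writing it down. The calculation assumes the attacker knows the scheme and the wordlist; the secret is the choice, not the method.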

3. Even if you think your password is complicated, this doesn’t mean that it is hard to break. Newer hacking techniques don’t just attack your password. They also exploit vulnerabilities in how that information is processed on the server side. For example, Rainbow Tables exploit the fact that passwords are hashed when stored. They greatly shorten the time to crack even seemingly complicated passwords. Take a look at this before you get too confident about your “difficult” password, please. http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
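The comment above describes the attack in broad strokes. The following added example (not from the post or the commenter) shows the mechanism concretely: a precomputed table of digests recovers a leaked unsalted hash with one dictionary lookup regardless of how “difficult” the password looks, while a per-user random salt and a deliberately slow key derivation (PBKDF2 from the standard library here) make that table useless. A real rainbow table compresses the precomputed table with hash chains, but it depends on the same precondition, identical passwords hashing to identical digests. The candidate list and the MD5 choice are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed list of candidate passwords, standing in for the dictionary
# a rainbow table or lookup table would be built from.
CANDIDATES = [
    "password", "letmein", "qwerty123", "P@ssw0rd!", "Tr0ub4dor&3",
    "Summer2011!", "correct horse battery staple",
]


def unsalted_digest(password: str, algo: str = "md5") -> str:
    """What a naive server stores: the bare hash of the password."""
    return hashlib.new(algo, password.encode()).hexdigest()


def build_lookup_table(candidates, algo: str = "md5") -> dict:
    """Precompute digest -> plaintext for every candidate, once, in advance.
    The work is done before any particular leak and is reused against every
    victim, which is exactly why unsalted hashes are so cheap to crack."""
    return {unsalted_digest(c, algo): c for c in candidates}


def crack_unsalted(stored_hex: str, table: dict):
    """A leaked unsalted digest falls to a single lookup (None if not found)."""
    return table.get(stored_hex)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash. The random salt means two users with the same
    password get different records and no table can be precomputed; the
    iteration count makes each guess expensive. Record format (assumed here):
    hex(salt)$iterations$hex(derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check itself leaks nothing."""
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_finds_salted(record: str, table: dict) -> bool:
    """The precomputed table never matches a salted record, even for a
    password that is in the candidate list."""
    return record.split("$")[2] in table


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    leaked = unsalted_digest("Tr0ub4dor&3")
    print("leaked unsalted MD5 recovered as:", crack_unsalted(leaked, table))
    rec = hash_password("Tr0ub4dor&3")
    print("salted record:", rec)
    print("table hits salted record:", table_finds_salted(rec, table))
    print("verify right / wrong:", verify_password("Tr0ub4dor&3", rec), verify_password("password", rec))
```

The salt is not a secret and is stored next to the hash; its job is only to make precomputation impossible. The iteration count is the second, independent defence, and 200,000 rounds of PBKDF2-SHA256 is a reasonable starting point today. A purpose-built password hash (bcrypt, scrypt or Argon2) is the better choice where a library is available, but the standard library call above already defeats the attack the comment describes.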

4. Two-factor authentication solves a DIFFERENT type of problem. Not just protecting complicated passwords. But adding a different layer. For example, if you browse a website and it installs malware on your computer, that could capture your keystrokes and send your password to a hacker REGARDLESS of how complex it is. In that case a hacker would be able to log in to your account from afar if you did not use 2-factor authentication. Another example is if you use the same password on multiple web services, e.g., Google and Amazon. If one service gets compromised (Google), that would enable access to your other accounts (Amazon).

This is not to say 2-factor authentication solves all the problems. Only that it adds an extra layer of protection along a different dimension. Whether it is worthwhile depends on how one judges the risks.
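The second factor the comment refers to is a short code that a stolen password cannot produce. As an added example (not from the post or the commenter), the block below implements the time-based one-time password algorithm of RFC 6238 (built on RFC 4226 HOTP) and a login check that requires both a salted password hash and a valid code, with a replay guard so that a code captured by a keylogger cannot be reused. The SMS codes described in the post are generated on Google’s side; the authenticator-app variant works as shown here. The user record, the password and the clock values are constructed for the demonstration; the secret `12345678901234567890` is the ASCII test secret from the RFC, and real apps carry such secrets base32-encoded.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 hash of the password, the shared
    TOTP secret, and the last counter accepted (for replay protection)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": -1,
    }


def login(user: dict, password: str, code: str, now: int, step: int = 30, window: int = 1):
    """Both factors must pass. Returns (ok, reason)."""
    # Factor 1: the password. A keylogged or reused password passes this step.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    if not hmac.compare_digest(dk, user["pw_hash"]):
        return False, "bad password"
    # Factor 2: a code only the holder of the shared secret (the phone) can
    # compute. Tolerate +/- `window` steps of clock drift, but never accept a
    # counter at or below the last one used, so a captured code is worthless
    # once it has been spent.
    counter = int(now) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            if c <= user["last_counter"]:
                return False, "code already used"
            user["last_counter"] = c
            return True, "ok"
    return False, "bad code"


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (ASCII)
    alice = make_user("hunter2", secret)
    t = 59
    print(totp(secret, t))                              # 287082, matching the RFC test vectors
    print(login(alice, "hunter2", totp(secret, t), t))  # (True, 'ok')
    print(login(alice, "hunter2", totp(secret, t), t))  # (False, 'code already used')
    print(login(alice, "hunter2", "000000", t))         # (False, 'bad code')
```

Two caveats a practitioner will want: the replay guard only helps if `last_counter` is persisted per user, and a code relayed to the real login within its 30-second window by a phishing page still succeeds, which is the targeted-attacker case the post itself concedes. Against the keylogger and password-reuse scenarios in the comment, though, the second factor does exactly what it claims.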